Re: Correctly implementing peak-splice

On 11/04/2014 02:26 PM, James Lay wrote:

> Thanks a bunch Christos,
>
> That list of IPs is things like apple.com, textnow.me, and windows
> updates...IPs that simply don't bump well.  My setup is a linux box
> that's a router...one NIC internal IP, the other external IP.  Via
> iptables redirect, I'm transparently intercepting the web traffic of a
> few devices, only allowing them access to the list of sites in url.txt.
> At issue with using the broken_sites list, is that I have to just
> specify large chunks of netblocks, which I lose control and visibility
> of.  What I'm really hoping for is for a way for squid to be able to, in
> my case at least, look at either the server_name extension in the Client

You need to build your own external_acl helper which will take as input the client SNI (server_name extension). Read the Squid wiki for information about external ACL helpers:
 http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29

It is easy to build one in perl or as a shell script. I suggest building an external_acl helper which returns "OK" when the SNI matches or no SNI information exists.

You can use the following configuration or similar:
#
external_acl_type EXTACL %ssl::>sni /path-to-my/external-acl-helper.sh
acl EXTACL external EXTACL

acl step1 at_step  SslBump1
acl step2 at_step  SslBump2
acl step3 at_step  SslBump3

# At first step peek all
ssl_bump peek step1 all
ssl_bump splice step2 EXTACL
ssl_bump bump all


> Hello, or, if that's not present, look at the dNSName of certificate
> being sent, check the access against url.txt, and either allow or deny.

In your case the server certificate information will not work well. At the time this information is available:
    1) in peek mode, you cannot bump any more
    2) in stare mode, you cannot splice any more.
There are exceptions to the above rules (for example in case the client uses the same SSL library as Squid) but the SSL protocol is safe enough to not allow us to make something better than this.

Regards,
   Christos


> Ssl_bump does work well for most sites...and I understand we are
> performing a man in the middle attack so it's not supposed to be easy.
> Again my hope isn't really to perform a mitm...more of an access control
> type thing.  Thanks again Christos...I hope I explained this well
> enough.

> James

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
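The helper Christos describes, written out as an added example script (it is not code from this thread or from the Squid project). It assumes the allowlist lives at /etc/squid/url.txt with one hostname per line (a leading "." meaning "this domain and its subdomains"), that no concurrency= option is set on the external_acl_type line, and that the script is started as `/path-to-my/external-acl-helper.sh --serve`; Squid sends "-" for a ClientHello with no server_name extension, and the rule from the reply is to answer OK in that case too.

```shell
#!/bin/sh
# sni-acl-helper.sh: Squid external_acl helper. Reads one %ssl::>sni value
# per line on stdin and answers OK (splice) or ERR (deny/bump) per line.
set -f   # no pathname expansion of allowlist entries like "*.example"

# Allowlist path is an assumption; point it at your own url.txt.
ALLOWLIST="${SNI_ALLOWLIST:-/etc/squid/url.txt}"

# Constructed sample allowlist, used only when the real file is unreadable,
# so the script can be exercised stand-alone.
SAMPLE_ALLOWLIST='apple.com
.textnow.me
update.microsoft.com'

# Emit allowlist entries one per line, stripping comments, blanks and spaces.
allowlist_entries() {
    if [ -r "$ALLOWLIST" ]; then
        cat "$ALLOWLIST"
    else
        printf '%s\n' "$SAMPLE_ALLOWLIST"
    fi | sed -e 's/#.*//' -e 's/[[:space:]]//g' | grep -v '^$' || :
}

# Decide one SNI value and print OK or ERR. Matching is case-insensitive;
# ".example.com" matches example.com and any host below it, anything else
# must match exactly (so "apple.com.attacker.example" is not allowed).
decide_sni() {
    sni=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$sni" in
        ''|-) echo OK; return 0 ;;          # no SNI at all: splice it
    esac
    for entry in $(allowlist_entries); do
        entry=$(printf '%s' "$entry" | tr 'A-Z' 'a-z')
        case "$entry" in
            .*) base="${entry#.}"
                if [ "$sni" = "$base" ] || [ "${sni%$entry}" != "$sni" ]; then
                    echo OK; return 0
                fi ;;
            *)  if [ "$sni" = "$entry" ]; then echo OK; return 0; fi ;;
        esac
    done
    echo ERR
}

# Helper protocol loop: one request line in, one answer line out, forever.
helper_main() {
    while IFS= read -r line; do
        set -- $line            # first token is the SNI (no concurrency=)
        decide_sni "${1:-}"
    done
}

if [ "${1:-}" = "--serve" ]; then helper_main; fi
```

With this script the config line becomes `external_acl_type EXTACL %ssl::>sni /path-to-my/external-acl-helper.sh --serve`; note that Squid only consults it at step2, so hosts whose ClientHello carries no SNI are spliced unconditionally by this rule.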